As is generally known, in the contemporary terminology of computer science and the Internet, the term “active content” refers to digital content that is interactive, dynamic, or both. One example of a unit of active content is a software agent. A software agent is program code that operates to perform an action or actions for an associated user, either periodically or when a triggering event or sequence of events occurs. Some existing systems use software agents to provide “out of office” functions that automatically generate responses to messages, such as electronic mail (“e-mail”) messages, that are sent to a user while that user is away and unable to personally respond. Such automatically generated response messages typically inform the message sender that the user cannot respond at the present time, that the user will be reading messages at a specified time in the future, and/or indicate an alternative user to contact for immediate assistance.
Units of active content, such as software agents, often have certain privileges (also sometimes referred to as “permissions”, or “capabilities”) associated with them. The privileges of a software agent typically flow from and are determined based on the identity of an associated user, e.g. a user that created the agent and/or that authorized the agent to execute. For example, in some cases, a software agent is created by a third party company, and then authorized to run by an end user, such as an e-mail application end user. Accordingly, the privileges of a software agent generally cannot exceed the privileges of the user for which that agent operates. For example, if a user is not allowed to create new databases manually, then that user should also not be allowed to create a new database through operation of an agent created by and/or authorized to run by that user. Privileges of a software agent may be stored as privilege indicators within the agent itself when the agent is created, based on the privileges available to the creating entity or user, and/or dynamically determined at run time based on the identity of the user associated with the agent, e.g. a user that created the agent and/or authorized the agent to run. Specific privileges may be represented using any specific type of indicator(s) (e.g. bits, flags, etc) of the programs (e.g. applications, Web sites, etc.) and/or data (e.g. databases, files, etc.) that the agent is allowed to access, and potentially also of the specific types of operations (e.g. reads, writes, modifies, etc.) that the agent is allowed to perform using the permitted programs and/or on the accessible data.
In order to ensure that a unit of active content, such as a software agent, operates securely, it may carry its own authentication credentials. The authentication credentials of a software agent allow confirmation that the privileges, content and/or capabilities of the agent have not been inappropriately modified. For example, a software agent may include a digital signature generated using the private encryption key of the user that created or enabled the agent. The digital signature is an encrypted digest of the contents of the software agent, including program code logic, and potentially also including the privilege indications contained in the agent. For example, a digital signature may be computed from the contents of a software agent using a one-way hash function such as MD5 (Message Digest 5) or SHA-1 (Secure Hash Algorithm 1), which is then encrypted with the private part of the user's public/private key pair. Such public/private key pairs are used in the RSA (Rivest-Shamir-Adleman) cryptography method, in which the private key is kept by an owner user, and the public key is published. To confirm that the software agent has not been tampered with, the associated user's public key can be used to decrypt the signature back into the original digest, which can then be compared to a new digest computed by an authenticating process. If the new digest matches the original, then the agent (including its privileges) has not been altered by an attacker.
A problem occurs in existing systems when a new version of program code is released to replace part of a digitally signed unit of active content. For example, when a user generates a software agent to automatically respond to e-mail messages sent to them while they are away, the agent may be digitally signed using the user's private key. During operation, in order to access the user's e-mail account, the agent presents the user's digital signature to the e-mail application program for authentication purposes. If a new version of software is released while such an agent is operating and the user is away, the user's private key cannot be accessed to re-sign the agent with the new software version, since the user is not available to log in and allow the private key to be accessed. Accordingly, at such a time, the new version of the agent cannot be digitally signed in the same way that the original agent was. Allowing an agent that includes a new version of software to run without being digitally signed by the associated user may cause its operations to be blocked, since it cannot be authenticated by the e-mail application. Allowing the new version of the agent to be digitally signed using another private key may allow malicious changes to be made to the privileges associated with the agent, thus creating a potential security problem. Moreover, if another entity signs the new version of the agent, then it may be difficult or impossible for a subsequent update or other process to determine the correct attributes, such as the privileges originally associated with the agent, to be associated with new versions of the agent.
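The signing and verification scheme of the preceding two paragraphs, as an added example that is not part of the original document: a constructed agent (code plus privilege indicators) is hashed, the digest is signed with the owner's RSA private key, and verification with the public key fails both when the privileges are tampered with and when the code is legitimately updated, which is the re-signing problem described above. The `Agent` type and the privilege strings are assumptions for illustration; SHA-256 is used in place of the MD5/SHA-1 named in the text.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Agent is a constructed stand-in for a unit of active content: program code
// plus the privilege indicators the agent carries.
type Agent struct {
	Code       string   `json:"code"`
	Privileges []string `json:"privileges"`
}

// digest serialises the agent deterministically (encoding/json keeps struct field
// order) and hashes it; SHA-256 replaces the MD5/SHA-1 named in the text.
func digest(a Agent) []byte {
	b, _ := json.Marshal(a) // cannot fail for these field types
	sum := sha256.Sum256(b)
	return sum[:]
}

// SignAgent signs the digest with the owner's private key (RSA PKCS#1 v1.5).
func SignAgent(priv *rsa.PrivateKey, a Agent) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(a))
}

// VerifyAgent recomputes the digest and checks it against the signature with
// the owner's public key; any change to code or privileges yields false.
func VerifyAgent(pub *rsa.PublicKey, a Agent, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(a), sig) == nil
}

func main() {
	owner, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent := Agent{Code: "reply_out_of_office(v1)", Privileges: []string{"mail:read", "mail:send"}}
	sig, _ := SignAgent(owner, agent)
	fmt.Println("original verifies:", VerifyAgent(&owner.PublicKey, agent, sig))
	// Escalating the stored privileges invalidates the signature ...
	tampered := Agent{Code: agent.Code, Privileges: []string{"mail:read", "mail:send", "db:create"}}
	fmt.Println("tampered privileges verify:", VerifyAgent(&owner.PublicKey, tampered, sig))
	// ... and so does a legitimate code update, which cannot be re-signed without the owner's key.
	updated := Agent{Code: "reply_out_of_office(v2)", Privileges: agent.Privileges}
	fmt.Println("updated code verifies:", VerifyAgent(&owner.PublicKey, updated, sig))
}
```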
These types of problems regarding updating digitally signed active content have resulted in some existing systems having to disable active software agents until the associated user logs in, at which point the updated versions can be digitally re-signed. In the case of software agents that are intended to continue operating even while an associated user is not logged in, such as an out of office agent that automatically answers e-mail messages while the user is away, this type of approach defeats the purpose of the agent.
It would accordingly be desirable to have a new system that allows software updates to digitally signed units of active content, such as software agents, that preserves originally defined attributes, such as privileges, and that does not require the associated user to re-sign the updated agent in order for a new version to become active.